OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

RISKS POSED BY DIGITAL PHOTOCOPIERS USED IN SOCIAL SECURITY ADMINISTRATION OFFICES

May 2012    A-06-11-11155

AUDIT REPORT


Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

•   Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
•   Promote economy, effectiveness, and efficiency within the agency.
•   Prevent and detect fraud, waste, and abuse in agency programs and operations.
•   Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
•   Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

•   Independence to determine what reviews to perform.
•   Access to all information necessary for the reviews.
•   Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.


SOCIAL SECURITY

MEMORANDUM

Date:    May 17, 2012                                   Refer To:

To:      The Commissioner

From:    Inspector General

Subject: Risks Posed by Digital Photocopiers Used in Social Security Administration Offices (A-06-11-11155)

OBJECTIVE

Our objective was to determine the status of corrective actions the Social Security Administration (SSA) took to address recommendations in our September 2008 report, Risks Posed by Digital Photocopiers Used in Social Security Administration Offices (A-06-08-28076).

BACKGROUND

The Privacy Act of 1974 [1] provides the framework for regulating the collection, maintenance, use, and dissemination of personal information by Federal executive branch agencies. In particular, the Privacy Act requires that each Agency

    . . . establish appropriate administrative, technical and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual on whom information is maintained. [2]

The loss of personally identifiable information (PII) can lead to identity theft or other fraudulent use of the information, which could result in harm, embarrassment, and inconvenience to individuals. Accordingly, SSA should safeguard sensitive PII, including PII stored on photocopier hard drives.

SSA’s Office of Supply and Warehouse Management’s Reprographic Management Team (RMT) procures and manages reprographic equipment (photocopiers), services, and supplies for all SSA offices nationwide. According to SSA officials, all photocopiers purchased since September 2008 contain hard drives capable of storing images of copied or printed material. Leaving these hard drives unprotected or unaccounted for can increase the potential for identity theft. From January 1 through December 31, 2010, SSA disposed of 409 digital photocopiers that contained hard drives capable of storing document images.

[1] The Privacy Act of 1974, as amended, Pub. L. No. 93-579, 88 Stat. 1896 (codified as amended at 5 U.S.C. § 552a).
[2] 5 U.S.C. § 552a(e)(10).

Our 2008 audit found that SSA had not effectively mitigated the risks posed by the potential exposure of sensitive information. Specifically, SSA did not sanitize or destroy photocopier hard drives upon disposal, as required, or include a non-disclosure statement in its agreement with vendors that precluded the disclosure of sensitive information when photocopiers were taken off-site for repair. Additionally, SSA’s inventory tracking system did not distinguish between stand-alone photocopiers with no hard drives and photocopiers with hard drives, or account for purchases in a timely manner. Therefore, we recommended that SSA:

1. Establish procedures for sanitizing or destroying photocopier hard drives,

2. Amend the maintenance provision in blanket purchase agreements (BPA) [3] to include the required non-disclosure statement by the servicing vendor when photocopiers are sent off-site for repair,

3. Implement an automated photocopier inventory system that includes the capability of tracking the existence of hard drives, and

4. Record all digital photocopier purchases to the automated tracking system within a reasonable time after the equipment is received and installed.

The Agency agreed with all four recommendations. (See Appendix B for additional information on our scope and methodology.)

RESULTS OF REVIEW

SSA took action to address our 2008 recommendations. SSA established procedures for sanitizing or destroying photocopier hard drives and established a requirement that contractors certify they sanitized, removed, or destroyed hard drives before removing photocopiers from SSA premises. SSA incorporated hard drive sanitization policies into photocopier Blanket Purchase Agreements (BPA) and incorporated additional security provisions in photocopier maintenance agreements. [4]

[3] A BPA is a simplified method for filling anticipated repetitive needs for supplies or services by establishing the equivalent of “charge accounts” with qualified sources of supply.
[4] At the time of our review, SSA had incorporated hard drive sanitization requirements in maintenance agreements with 11 of 12 photocopier vendors. SSA is working with the 12th vendor to include similar requirements in the maintenance agreement.

SSA implemented a new automated system that tracks whether photocopiers have hard drives and improves the timeliness of recording photocopier purchases in its inventory records.

However, while SSA requires that contractors certify that photocopier hard drives were sanitized, removed, or destroyed prior to removal from SSA premises, we found that SSA rarely obtained the required certifications. Also, the automated inventory system SSA used to track photocopiers did not accurately identify the number of photocopiers in service at the time of the audit.

We are not aware of any incidents where PII breaches occurred as a result of loss of information stored on photocopier disk drives. However, as long as this vulnerability exists, SSA should continue proactively reducing the risk of exposing sensitive information to unauthorized individuals.

HARD DRIVE CERTIFICATIONS NOT OBTAINED

SSA continued disposing of photocopiers without obtaining verification that vendors erased or destroyed the hard drives. SSA requires completion of a hard drive certification form before vendors remove photocopiers from SSA’s premises. [5] However, SSA could only provide the required sanitization certifications for 1 of 30 sampled disposed photocopiers. RMT staff acknowledged that SSA did not require vendors removing old photocopiers to complete these certifications. [6] SSA needs to ensure vendors follow Agency policies before removing photocopiers from SSA facilities.

AUTOMATED PHOTOCOPIER INVENTORY TRACKING SYSTEM

SSA’s photocopier inventory included approximately 2,600 photocopiers that had been disposed of and were no longer in SSA’s possession. RMT officials are required to maintain accurate reprographic equipment inventory records. [7]

According to RMT staff, problems with SSA’s automated inventory system prevented deletion of thousands of photocopiers that were no longer in service. To determine the number or location of photocopiers in service, SSA had to rely on the corporate knowledge of RMT staff members familiar with photocopier purchases and disposals. RMT officials were aware of this problem and stated they were working with programmers to correct the error.

[5] Administrative Instructions Manual System (AIMS), Materiel Resources (MR) 03.08.03 A.2.
[6] AIMS, MR 03.08.03 B.7 requires that vendor technicians complete a hard drive sanitization certificate before removing a photocopier from SSA premises unless a general hard drive certification for a particular model is on file. RMT did not have general certifications on file for any of the copier models included in our sample.
[7] AIMS, MR 04.04.02 C.

CONCLUSION AND RECOMMENDATION

SSA had addressed our previous recommendations; however, further improvement is needed to ensure photocopier hard drives are erased or destroyed before disposal. Therefore, we recommend that SSA enforce its requirement that photocopier vendors certify in writing that photocopier hard drives are erased or destroyed before removal from SSA premises.

AGENCY COMMENTS AND OIG RESPONSE

SSA agreed with our recommendation. See Appendix C for the Agency’s comments.


Patrick P. O’Carroll, Jr.


Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – OIG Contacts and Staff Acknowledgments


Appendix A

Acronyms

AIMS          Administrative Instructions Manual System
BPA           Blanket Purchase Agreement
MR            Materiel Resources
PII           Personally Identifiable Information
Pub. L. No.   Public Law Number
RMT           Reprographic Management Team
SSA           Social Security Administration
U.S.C.        United States Code


Appendix B

Scope and Methodology

To accomplish our objective, we:

•   Reviewed the applicable sections of the Privacy Act of 1974, Federal Acquisition Regulations, Administrative Instructions Manual System, and Information Systems Security Handbook.

•   Considered the security implications of the Office of Management and Budget Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007.

•   Reviewed relevant Office of the Inspector General reports.

•   Reviewed inventory print screens, Blanket Purchase Agreements, and Task Orders.

•   Interviewed Social Security Administration (SSA) employees from the Division of Property Management’s Reprographic Management Team.

•   Performed limited testing on SSA’s photocopier inventory list.

•   Obtained a listing identifying all photocopiers SSA disposed of during Calendar Year 2010, and reviewed disposition documentation for 30 randomly selected photocopiers.

We performed audit work between May 2011 and February 2012 in Dallas, Texas. We tested the data obtained for our audit and determined them to be sufficiently reliable to meet our objective. The entity audited was SSA’s Office of Supply and Warehouse Management under the Office of the Deputy Commissioner for Budget, Finance and Management. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.


Appendix C

Agency Comments


SOCIAL SECURITY

MEMORANDUM

Date:    May 14, 2012                                   Refer To: S1J-3

To:      Patrick P. O’Carroll, Jr.
         Inspector General

From:    Dean S. Landis /s/
         Deputy Chief of Staff

Subject: Office of the Inspector General Draft Report, “Risks Posed by Digital Photocopiers Used in Social Security Administration Offices” (A-06-11-11155)—INFORMATION

Thank you for the opportunity to review the draft report. Please see our attached comments.

Please let me know if we can be of further assistance. You may direct staff inquiries to Amy Thompson at (410) 966-0569.

Attachment


COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT, “RISKS POSED BY DIGITAL PHOTOCOPIERS USED IN SOCIAL SECURITY ADMINISTRATION OFFICES” (A-06-11-11155)

Recommendation 1

Enforce its requirement that photocopier vendors certify in writing that photocopier hard drives are erased or destroyed before removal from SSA premises.

Response

We agree.


Appendix D

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Ron Gunia, Director, Dallas Audit Division

   Jason Arrington, Audit Manager

Acknowledgments

In addition to those named above:

   Ashley Moore, Auditor

For additional copies of this report, please visit our Website at http://oig.ssa.gov/ or contact the Office of the Inspector General’s Public Affairs Staff at (410) 965-4518. Refer to Common Identification Number A-06-11-11155.


DISTRIBUTION SCHEDULE

Commissioner of Social Security
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board


Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. OTRM also receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.